From a599a9f99862863cba35758751f527d339c665a7 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Mon, 15 Feb 2021 15:27:55 +0100 Subject: [PATCH] forward NewTestcase, executor as arg to EventManager::process --- afl/src/events/llmp.rs | 37 ++++-- afl/src/events/logger.rs | 13 +- afl/src/events/mod.rs | 20 ++- afl/src/lib.rs | 2 +- afl/src/mutators/scheduled.rs | 4 +- afl/src/observers/mod.rs | 10 +- afl/src/state/mod.rs | 4 +- fuzzers/libfuzzer_dummy/src/mod.rs | 10 +- fuzzers/libfuzzer_libpng/ccc | 200 ----------------------------- 9 files changed, 60 insertions(+), 240 deletions(-) delete mode 100644 fuzzers/libfuzzer_libpng/ccc diff --git a/afl/src/events/llmp.rs b/afl/src/events/llmp.rs index e99c4e02ae..81b9b7b579 100644 --- a/afl/src/events/llmp.rs +++ b/afl/src/events/llmp.rs @@ -16,6 +16,8 @@ use crate::{ llmp::{self, LlmpClient, LlmpClientDescription, Tag}, shmem::ShMem, }, + executors::{HasObservers, Executor}, + observers::ObserversTuple, corpus::Corpus, events::{BrokerEventResult, Event, EventManager}, executors::ExitKind, @@ -248,18 +250,21 @@ where } // Handle arriving events in the client - fn handle_in_client( + fn handle_in_client( &mut self, state: &mut State, - _sender_id: u32, + sender_id: u32, event: Event, + _executor: &mut E, ) -> Result<(), Error> where C: Corpus, + E: Executor + HasObservers, FT: FeedbacksTuple, R: Rand, OC: Corpus, OFT: FeedbacksTuple, + OT: ObserversTuple { match event { Event::NewTestcase { 
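Review bot: The new `_executor: &mut E` parameter of `handle_in_client` is accepted but never used, and the `E: Executor + HasObservers` / `OT: ObserversTuple` bounds it brings in now have to be repeated by every `EventManager` implementation, so the method deserves a doc comment stating why the executor is threaded through at all. Something like `/// `executor` is passed so a received testcase can later be re-run locally instead of trusting the sender's serialized observers; currently unused.` would keep the next maintainer from removing it as dead. The enclosing `impl` and the `match` body continue outside this hunk.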
@@ -273,11 +278,17 @@ where // TODO: here u should match client_config, if equal to the current one do not re-execute // we need to pass engine to process() too, TODO #[cfg(feature = "std")] - println!("Received new Testcase"); - let observers = postcard::from_bytes(&observers_buf)?; + println!("Received new Testcase from {}", sender_id); + + let observers: OT = postcard::from_bytes(&observers_buf)?; // TODO include ExitKind in NewTestcase - let interestingness = state.is_interesting(&input, &observers, ExitKind::Ok)?; - state.add_if_interesting(input, interestingness)?; + let fitness = state.is_interesting(&input, &observers, ExitKind::Ok)?; + if fitness > 0 { + if !state.add_if_interesting(input, fitness)?.is_none() { + #[cfg(feature = "std")] + println!("Added received Testcase"); + } + } Ok(()) } _ => Err(Error::Unknown(format!( @@ -306,16 +317,19 @@ where } } - fn process( + fn process( &mut self, state: &mut State, + executor: &mut E, ) -> Result where C: Corpus, + E: Executor + HasObservers, FT: FeedbacksTuple, R: Rand, OC: Corpus, OFT: FeedbacksTuple, + OT: ObserversTuple { // TODO: Get around local event copy by moving handle_in_client let mut events = vec![]; @@ -340,7 +354,7 @@ where let count = events.len(); events .drain(..) - .try_for_each(|(sender_id, event)| self.handle_in_client(state, sender_id, event))?; + .try_for_each(|(sender_id, event)| self.handle_in_client(state, sender_id, event, executor))?; Ok(count) } @@ -451,18 +465,21 @@ where .send_buf(_LLMP_TAG_RESTART, &state_corpus_serialized) } - fn process( + fn process( &mut self, state: &mut State, + executor: &mut E, ) -> Result where C: Corpus, + E: Executor + HasObservers, FT: FeedbacksTuple, R: Rand, OC: Corpus, OFT: FeedbacksTuple, + OT: ObserversTuple { - self.llmp_mgr.process(state) + self.llmp_mgr.process(state, executor) } fn fire( diff --git a/afl/src/events/logger.rs b/afl/src/events/logger.rs index d018cf6ff6..7cf489bf61 100644 --- a/afl/src/events/logger.rs 
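Review bot: `if !state.add_if_interesting(input, fitness)?.is_none()` is a double negative; write `if state.add_if_interesting(input, fitness)?.is_some()`. The comment just above it, `we need to pass engine to process() too, TODO`, is now stale because this commit does thread `executor` into `process` and `handle_in_client` (where it is still unused as `_executor`), so it should state what remains, e.g. `// TODO: compare client_config with ours and re-execute via the executor when it differs`. Note also that `postcard::from_bytes(&observers_buf)?` propagates a deserialization failure out of `handle_in_client`, and the caller `try_for_each(...)?` in `process` aborts on the first error with the rest of the drained events discarded, so one malformed `NewTestcase` from any peer client appears to stop this client's event processing; logging and skipping the bad event would be more robust for data that crosses a process boundary. `handle_in_client` starts in the previous hunk.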
+++ b/afl/src/events/logger.rs @@ -5,6 +5,8 @@ use alloc::{string::ToString, vec::Vec}; use crate::{ corpus::Corpus, events::{BrokerEventResult, Event, EventManager}, + executors::{HasObservers, Executor}, + observers::ObserversTuple, feedbacks::FeedbacksTuple, inputs::Input, state::State, @@ -31,21 +33,24 @@ where I: Input, ST: Stats, //CE: CustomEvent, { - fn process( + fn process( &mut self, state: &mut State, + _executor: &mut E, ) -> Result where C: Corpus, + E: Executor + HasObservers, FT: FeedbacksTuple, R: Rand, OC: Corpus, OFT: FeedbacksTuple, + OT: ObserversTuple { let count = self.events.len(); while self.events.len() > 0 { let event = self.events.pop().unwrap(); - self.handle_in_client(state, 0, event)?; + self.handle_in_client(state, event)?; } Ok(count) } @@ -62,7 +67,7 @@ where OC: Corpus, OFT: FeedbacksTuple, { - match Self::handle_in_broker(&mut self.stats, 0, &event)? { + match Self::handle_in_broker(&mut self.stats, &event)? { BrokerEventResult::Forward => self.events.push(event), BrokerEventResult::Handled => (), }; @@ -85,7 +90,6 @@ where // Handle arriving events in the broker fn handle_in_broker( stats: &mut ST, - _sender_id: u32, event: &Event, ) -> Result { match event { @@ -134,7 +138,6 @@ where fn handle_in_client( &mut self, _state: &mut State, - _sender_id: u32, event: Event, ) -> Result<(), Error> where diff --git a/afl/src/events/mod.rs b/afl/src/events/mod.rs index 35838c32f9..38aed7d7cc 100644 --- a/afl/src/events/mod.rs +++ b/afl/src/events/mod.rs @@ -10,6 +10,7 @@ use serde::{Deserialize, Serialize}; use crate::{ corpus::Corpus, feedbacks::FeedbacksTuple, inputs::Input, observers::ObserversTuple, + executors::{HasObservers, Executor}, state::State, utils::Rand, Error, }; 
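Review bot: The loop in `process`, `while self.events.len() > 0 { let event = self.events.pop().unwrap(); ... }`, is a hand-rolled `while let`; write `while let Some(event) = self.events.pop() { self.handle_in_client(state, event)?; }` and drop the `unwrap()`. Because `fire` pushes onto the same `Vec` and this loop pops from the end, events appear to be handled newest-first, which is worth a one-line comment (`// LIFO: newest event is handled first`) if intended, or a `self.events.drain(..)` if ordering should follow firing order. The `_executor` parameter is unused here, as the underscore signals.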
@@ -156,16 +157,19 @@ where /// Lookup for incoming events and process them. /// Return the number of processes events or an error - fn process( + fn process( &mut self, state: &mut State, + executor: &mut E, ) -> Result where C: Corpus, + E: Executor + HasObservers, FT: FeedbacksTuple, R: Rand, OC: Corpus, - OFT: FeedbacksTuple; + OFT: FeedbacksTuple, + OT: ObserversTuple; /// Serialize all observers for this type and manager fn serialize_observers(&mut self, observers: &OT) -> Result, Error> @@ -226,16 +230,19 @@ impl EventManager for NopEventManager where I: Input, { - fn process( + fn process( &mut self, _state: &mut State, + _executor: &mut E, ) -> Result where C: Corpus, + E: Executor + HasObservers, FT: FeedbacksTuple, R: Rand, OC: Corpus, OFT: FeedbacksTuple, + OT: ObserversTuple, { Ok(0) } @@ -259,10 +266,9 @@ where #[cfg(test)] mod tests { - use crate::bolts::tuples::{tuple_list, MatchNameAndType, Named}; + use crate::bolts::tuples::{tuple_list}; use crate::events::Event; use crate::inputs::bytes::BytesInput; - use crate::observers::ObserversTuple; use crate::observers::StdMapObserver; use crate::utils::current_time; @@ -272,7 +278,7 @@ mod tests { fn test_event_serde() { let obv = StdMapObserver::new("test", unsafe { &mut MAP }); let map = tuple_list!(obv); - let observers_buf = map.serialize().unwrap(); + let observers_buf = postcard::to_allocvec(&map).unwrap(); let i = BytesInput::new(vec![0]); let e = Event::NewTestcase { @@ -296,7 +302,7 @@ mod tests { time: _, executions: _, } => { - let o = map.deserialize(&observers_buf).unwrap(); + let o: tuple_list!(StdMapObserver::) = postcard::from_bytes(&observers_buf).unwrap(); let test_observer = o.match_name_type::>("test").unwrap(); assert_eq!("test", test_observer.name()); } diff --git a/afl/src/lib.rs b/afl/src/lib.rs index 24fb73849f..0ab68a8c77 100644 --- a/afl/src/lib.rs +++ b/afl/src/lib.rs 
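Review bot: The test hunk drops `MatchNameAndType` and `Named` from the `use crate::bolts::tuples::{...}` line while the body still calls `o.match_name_type(...)("test")` and `test_observer.name()`, which normally need those traits in scope; unless they are imported elsewhere in the test module this would likely fail to compile. The annotation `let o: tuple_list!(StdMapObserver...)` uses `tuple_list!` in type position; if that macro is expression-only (the `tuple_list` crate pairs it with `tuple_list_type!` for types), it needs `tuple_list_type!` here. Keeping `use crate::bolts::tuples::{tuple_list, MatchNameAndType, Named};` (plus the type macro if required) alongside the switch to `postcard::from_bytes` is the minimal fix.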
@@ -68,7 +68,7 @@ where self.stages_mut() .perform_all(rand, executor, state, manager, idx)?; - manager.process(state)?; + manager.process(state, executor)?; Ok(idx) } diff --git a/afl/src/mutators/scheduled.rs b/afl/src/mutators/scheduled.rs index 9714fedd4c..9df163c78e 100644 --- a/afl/src/mutators/scheduled.rs +++ b/afl/src/mutators/scheduled.rs @@ -277,7 +277,7 @@ where pub fn new_default() -> Self { let mut scheduled = StdScheduledMutator::::new(); scheduled.add_mutation(mutation_bitflip); - scheduled.add_mutation(mutation_byteflip); + /*scheduled.add_mutation(mutation_byteflip); scheduled.add_mutation(mutation_byteinc); scheduled.add_mutation(mutation_bytedec); scheduled.add_mutation(mutation_byteneg); @@ -307,7 +307,7 @@ where scheduled.add_mutation(mutation_tokenreplace); scheduled.add_mutation(mutation_crossover_insert); - scheduled.add_mutation(mutation_crossover_replace); + scheduled.add_mutation(mutation_crossover_replace);*/ //scheduled.add_mutation(mutation_splice); HavocBytesMutator { diff --git a/afl/src/observers/mod.rs b/afl/src/observers/mod.rs index 6edd74ef88..ee506ce7fb 100644 --- a/afl/src/observers/mod.rs +++ b/afl/src/observers/mod.rs @@ -57,18 +57,10 @@ pub trait ObserversTuple: /// Do whatever you need to do after a run. /// This is called right after the last execution fn post_exec_all(&mut self) -> Result<(), Error>; + //fn for_each(&self, f: fn(&dyn Observer)); //fn for_each_mut(&mut self, f: fn(&mut dyn Observer)); - /// Serialize this tuple to a buf - fn serialize(&self) -> Result, Error> { - Ok(postcard::to_allocvec(&self)?) - } - - /// Deserilaize - fn deserialize(&self, serialized: &[u8]) -> Result { - Ok(postcard::from_bytes(serialized)?) - } } impl ObserversTuple for () { diff --git a/afl/src/state/mod.rs b/afl/src/state/mod.rs index 8f150d2830..91129e616e 100644 --- a/afl/src/state/mod.rs +++ b/afl/src/state/mod.rs 
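Review bot: `new_default()` now registers only `mutation_bitflip`: everything from `scheduled.add_mutation(mutation_byteflip);` through `scheduled.add_mutation(mutation_crossover_replace);` is wrapped in `/* ... */`, which looks like a debugging leftover unrelated to the commit's subject (forwarding the executor to `process`) and leaves the default havoc mutator with a single mutation. If this is deliberate because the other mutations are suspected of a bug, say so in a comment with the reason; otherwise restore the `add_mutation` calls before merging. The `HavocBytesMutator { ... }` construction continues outside the hunk.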
@@ -159,7 +159,7 @@ where phantom: PhantomData, }, )?; - manager.process(self)?; + manager.process(self, executor)?; Ok(()) } } @@ -456,7 +456,7 @@ where phantom: PhantomData, }, )?; - manager.process(self)?; + manager.process(self, executor)?; Ok(()) } diff --git a/fuzzers/libfuzzer_dummy/src/mod.rs b/fuzzers/libfuzzer_dummy/src/mod.rs index 17891b8609..1cf3588e80 100644 --- a/fuzzers/libfuzzer_dummy/src/mod.rs +++ b/fuzzers/libfuzzer_dummy/src/mod.rs @@ -8,9 +8,9 @@ use afl::{ bolts::{tuples::tuple_list, shmem::UnixShMem}, corpus::{Corpus, InMemoryCorpus}, events::setup_restarting_mgr, - events::{SimpleStats}, + stats::{SimpleStats}, executors::{inprocess::InProcessExecutor, Executor, ExitKind}, - feedbacks::MaxMapFeedback, + feedbacks::{CrashFeedback, MaxMapFeedback}, inputs::Input, mutators::{scheduled::HavocBytesMutator, HasMaxSize}, observers::StdMapObserver, @@ -40,7 +40,7 @@ where __lafl_edges_map[2] = 1; if buf.len() > 1 && buf[1] == 'b' as u8 { __lafl_edges_map[3] = 1; - std::process::abort(); + //std::process::abort(); } } } @@ -64,7 +64,7 @@ fn fuzz(input: Option>, broker_port: u16) -> Result<(), Error> { // The restarting state will spawn the same process again as child, then restartet it each time it crashes. let (state_opt, mut restarting_mgr) = - setup_restarting_mgr::<_, _, _, _, UnixShMem, _>(stats, broker_port).expect("Failed to setup the restarter".into()); + setup_restarting_mgr::<_, _, _, _, _, _, UnixShMem, _>(stats, broker_port).expect("Failed to setup the restarter".into()); let edges_observer = StdMapObserver::new_from_ptr(&NAME_COV_MAP, unsafe { &mut __lafl_edges_map[0] as *mut u8 }, __lafl_max_edges_size as usize); @@ -78,6 +78,8 @@ fn fuzz(input: Option>, broker_port: u16) -> Result<(), Error> { &NAME_COV_MAP, &edges_observer )), + InMemoryCorpus::new(), + tuple_list!(CrashFeedback::new()), ) }, }; diff --git a/fuzzers/libfuzzer_libpng/ccc b/fuzzers/libfuzzer_libpng/ccc deleted file mode 100644 index 3fa82ce3ba..0000000000 
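Review bot: Commenting out `std::process::abort();` removes the only crash path of the dummy harness, yet the same commit adds `tuple_list!(CrashFeedback::new())` as the objective feedback, so that objective can no longer fire in this example; either restore the `abort()` (possibly behind a `cfg` or an environment flag) or add a comment explaining why the crash is disabled. While touching that branch, `buf[1] == 'b' as u8` reads better as `buf[1] == b'b'`. The harness function and `fuzz` extend outside the hunks shown.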
--- a/fuzzers/libfuzzer_libpng/ccc +++ /dev/null 
@@ -1,200 +0,0 @@ -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -Connected to port 1337 -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -First run. Let's set it all up -We're a client, let's fuzz :) -Loading file "./corpus/not_kitty_alpha.png" ... -Loading file "./corpus/not_kitty.png" ... -Loading file "./corpus/not_kitty_icc.png" ... -Loading file "./corpus/not_kitty_gamma.png" ... -We imported 4 inputs from disk. -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 44163 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 45491 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 46731 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 47582 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 47827 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. 
Let's load all data from shmem (received 48092 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 49215 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 50339 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 50610 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 51319 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 51560 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 52084 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 52352 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! 
-Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 53343 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 55900 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 56577 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 57101 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 57367 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 58069 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 58335 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! 
-Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 59147 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 60457 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 60723 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 60989 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 61386 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 61643 bytes from previous instance) -We're a client, let's fuzz :) -Child crashed! -Waiting for broker... -Bye! -Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng" -We're a client, let's fuzz :) -Subsequent run. Let's load all data from shmem (received 62747 bytes from previous instance) -We're a client, let's fuzz :)